
The incident highlights how trusted code‑hosting platforms can be weaponized to target security professionals, amplifying supply‑chain risk and demanding stricter vetting of third‑party code. It underscores the evolving threat of AI‑crafted malware that can bypass traditional detection mechanisms.
The rise of supply‑chain attacks has pushed attackers to exploit the credibility of popular development hubs. GitHub, with its massive user base, offers an attractive vector for malicious actors who can embed harmful code in seemingly legitimate repositories. By leveraging generative AI, these criminals produce convincing proof‑of‑concept write‑ups that lure security researchers and developers into downloading malicious payloads, blurring the line between legitimate research and infection vectors.
Technical analysis of the WebRAT campaign reveals a multi‑stage payload. The initial ZIP archive contains a decoy DLL and a batch script, but the core component is rasmanesc.exe, a dropper that escalates privileges, disables Windows Defender, and fetches the WebRAT backdoor. Once active, WebRAT functions as both an infostealer and surveillance tool, exfiltrating credentials from platforms like Steam, Discord, and Telegram, stealing cryptocurrency wallet data, and even capturing webcam footage. Its modular design allows rapid adaptation to new targets, making it a potent threat for any compromised system.
GitHub’s swift removal of the fifteen malicious repositories mitigates further spread, yet the incident serves as a cautionary tale for the broader developer community. Organizations must enforce strict verification of third‑party code, employ reproducible builds, and monitor for typosquatted packages. Security teams should also educate researchers on the risks of downloading unverified PoC exploits. As AI lowers the barrier for creating convincing malicious artifacts, continuous vigilance and layered defenses become essential to protect the software supply chain.
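One way to vet a downloaded PoC archive before anything is unpacked or run, given here as an added example (not code from the article, GitHub, or any vendor): a Python triage that reads ZIP entries in memory and reports runnable content, such as the DLL, batch script and dropper layout described above. The function names, extension lists and sample archive are assumptions constructed for illustration; only the file name rasmanesc.exe comes from the article.

```python
import io
import posixpath
import zipfile

# Dropper file name reported in the article; a name match is a weak indicator.
KNOWN_NAMES = {"rasmanesc.exe"}
# Assumed lists: extensions Windows will run, and those expected to hold a PE.
RISKY_EXT = {".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".scr", ".lnk"}
PE_EXT = {".exe", ".dll", ".scr"}


def triage_zip(data: bytes) -> list[dict]:
    """Inspect a ZIP held in memory (nothing is extracted) and return findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = posixpath.basename(info.filename.replace("\\", "/")).lower()
            ext = posixpath.splitext(name)[1]
            reasons = ["file name reported in article"] if name in KNOWN_NAMES else []
            if ext in RISKY_EXT:
                reasons.append(f"runnable extension {ext}")
            if info.flag_bits & 0x1:  # bit 0 set: entry is encrypted
                reasons.append("encrypted entry, content not inspectable")
            else:
                with zf.open(info) as fh:
                    if fh.read(2) == b"MZ" and ext not in PE_EXT:
                        reasons.append("PE header behind non-PE extension")
            if reasons:
                findings.append({"entry": info.filename, "reasons": reasons})
    return findings


def build_sample() -> bytes:
    """Constructed sample archive; every entry holds harmless placeholder bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("poc/README.md", "# PoC write-up\n")
        zf.writestr("poc/decoy.dll", b"MZ" + b"\x00" * 16)
        zf.writestr("poc/run.bat", "echo placeholder\r\n")
        zf.writestr("poc/rasmanesc.exe", b"MZ" + b"\x00" * 16)
        zf.writestr("poc/notes.txt", b"MZ" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample()):
        print(f["entry"], "->", "; ".join(f["reasons"]))
```

A clean result from a check like this does not make an archive safe; it only shows which entries need analysis in an isolated environment before anyone opens them.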